Cyber awareness learning is “horses for courses”

Blog posted by: Ian Davies – Deputy Chairman of BMT Group and Senior Independent Director at the Institute of Chartered Accountants in England and Wales, 21 September 2016.

Different people respond differently to a variety of types and styles of cyber awareness training. With people being the crucial early warning system in a company’s defences against cyber-attack, Ian Davies considers why boards need to understand that a one-size-fits-all approach to cyber awareness learning and training is not going to reduce cyber risk sufficiently for them to have confidence in “people power”.

The quality of cyber awareness training in UK companies varies considerably, from those buying an off-the-shelf package through to expensive, specialist briefings.

Though not every company needs – as one PLC I know – to have cyber awareness training for 30 minutes every board meeting, it’s equally not good to employ annual “sheep dip training” because everyone in a company is at a different level of understanding and capability. There is a tendency to “tick a box” for cyber awareness training and while doing a basic course is better than nothing, doing it once a year has little impact.

Another issue is employee engagement: if you are able to empower employees to undergo the training most suited to them, they might buy into it more readily. Alas, when there’s economic pressure on businesses, training gets cut and “nice to have” learning like cyber awareness can get pushed back. But with the increasing threat from cyber-crime, I urge companies, especially boards of directors, to take a different view: be better aware of the overall risks to your organization and ensure staff are armed to tackle cyber risk. This will protect the company by reducing the risk profile and enhance shareholder value.

An ideal approach to cyber awareness learning

So what is the best scenario for improving an organization’s cyber awareness?

For directors, a cyber-attack simulation exercise with a facilitator is an excellent starting point for raising awareness and developing the capability to respond to and recover from an attack.

People working in the finance team should be trained to identify digital communications that just don’t look right, such as an email purporting to be from the CEO which is either unexpected or has attachments and links that look strange. That means a mix of training, including formal classroom activity alongside more subconsciously effective methods such as storytelling, as in AXELOS’ Whaling for Beginners, the fictional account of a cyber-attack on a CEO. Equally, visual media can tell a memorable story, such as the film False Assurance, which has been licensed by all four big accounting firms, and many leading law firms, to show their staff.
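The signs listed above (a message that claims to come from an executive but arrives from elsewhere, links whose visible text does not match where they point, attachments of a kind that should not turn up unannounced) can be partly automated as a triage aid for a finance team's inbox, so that trained staff see a short list of reasons to be sceptical before they act. The following Python script is an added illustration and is not part of the original post or of any product it mentions; the company domain, the executive list and the sample message are constructed placeholders.

```python
"""Heuristic triage of an inbound e-mail for signs of executive impersonation,
deceptive links and unexpected attachment types.

Added illustration, not the author's own material. The company domain,
the executive list and the sample message below are all constructed."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

COMPANY_DOMAIN = "example-plc.test"                         # constructed placeholder
EXECUTIVES = {"jane doe": "jane.doe@example-plc.test"}      # constructed placeholder
RISKY_EXTENSIONS = {".exe", ".js", ".scr", ".vbs", ".docm", ".xlsm", ".zip"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Host part of an http(s) URL, lower-cased; empty string if not a URL."""
    m = re.match(r"https?://([^/:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def triage(raw):
    """Return a list of human-readable warnings for a raw RFC 822 message."""
    msg = message_from_string(raw)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Display name belongs to a known executive but the address does not match.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        warnings.append(f"display name '{name}' matches an executive but sender is {addr}")
    if domain and domain != COMPANY_DOMAIN:
        warnings.append(f"sender domain {domain} is external")
    # Replies silently redirected to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        warnings.append(f"Reply-To {reply_to} differs from From {addr}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
            if ext in RISKY_EXTENSIONS:
                warnings.append(f"attachment {fname} has a risky extension")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                # Visible text looks like a host or URL but the href goes elsewhere.
                shown = hostname(text) or (text.lower() if re.match(r"^[\w.-]+\.\w+$", text) else "")
                if shown and shown != hostname(href):
                    warnings.append(f"link text shows {shown} but points to {hostname(href)}")
    return warnings


def sample_message():
    """Constructed example of a CEO-impersonation e-mail (not a real message)."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe@mail-relay.test>"
    m["Reply-To"] = "ceo-office@mail-relay.test"
    m["To"] = "finance@example-plc.test"
    m["Subject"] = "Urgent payment"
    m.set_content("Please process the attached invoice today.")
    m.add_alternative(
        '<p>Please process the invoice via '
        '<a href="http://payments.mail-relay.test/inv">portal.example-plc.test</a></p>',
        subtype="html")
    m.add_attachment(b"placeholder bytes, not a real document",
                     maintype="application", subtype="octet-stream",
                     filename="invoice.docm")
    return m.as_string()


if __name__ == "__main__":
    for line in triage(sample_message()):
        print("WARNING:", line)
```

The checks are deliberately simple and produce reasons rather than a verdict: the point of the exercise in the post is that a trained person makes the final call, and a short list of concrete oddities is easier to act on than a single score.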

Most front-line staff in an organization would benefit from cyber awareness training delivered “little and often”, and the training must recognize the differences between those working at a desktop computer provided by the company and those who bring their own devices to work or operate remotely.

One company I know provides training focused on staff not opening unusual, suspicious attachments. The month following the training, staff receive a planned bogus email as part of the training exercise to see how many people open it and why. Though it’s treated as a training exercise with an amnesty first time, the company reminds people that their action was, technically, a breach of company policy and possibly constitutes a disciplinary offence under their contract of employment. That certainly focuses people’s minds.

And while many companies still trust their cyber security to technology, they must realize that people are their strongest asset for cyber resilience, if properly trained. It needs a human brain to read an email and assess whether the contents are suspect. Despite improving algorithms, most software can’t be sceptical in the same way as humans can, but the majority of companies fail to recognize this.